Unavailability Analysis for k-out-of-n:G Systems with Multiple Failure Modes Based on Micro-Markov Models

Markov models are commonly used for unavailability analysis of redundant systems. However, due to the exploding states of Markov models for redundant systems, the states need to be merged to simplify the computation, which is called micro-Markov models. However, how to derive the failure rates and repair rates of the newly developed micro-Markov models has not been studied thoroughly. Therefore, this paper proposes detailed explanations and rules to derive the static unavailability by the micro-Markov models for the k-out-of-n:G systems with multiple failure modes. Firstly, two properties about applying the Markov models to the repairable system with independent multiple failure modes are presented. Based on these two properties, two rules are proposed for implementing the micro-Markov models. The micro-Markov models provide the exact same results for the repairable k-out-of-n:G system with multiple independent failure modes and repair mechanisms and approximate results for systems with multiple hybrid failure modes. A case study of safety integrity verification for safety instrumented systems is provided to illustrate the application of the proposed method. The conceptual comparison and numerical examples demonstrate the reasonability and usefulness of the proposed micro-Markov models.


Introduction
A k-out-of-n:G system (hereinafter referred to as koon system) is a redundant system where at least k out of n components (or channels) must be functional for the redundant system to be successful [1][2][3]. Due to the fault-tolerant ability of the koon system, it has been widely used in process industry, oil and gas industry, nuclear industry, and so forth. Reliability analysis for koon systems is a classic issue in reliability engineering. For the koon system with a single failure mode, it is easy to derive the system reliability whether the system could be repaired immediately or not [4]. However, many systems have multiple failure modes [5][6][7][8], which increases the complexity of the reliability analysis. A typical system with multiple failure modes is the safety instrumented system (SIS), which has been widely used in the process industry as an important protection layer to prevent hazardous events or mitigate their consequences [3][9][10][11]. Due to the self-diagnostic function of the SIS, the dangerous failure of the SIS can be divided into dangerous detected (DD) failure and dangerous undetected (DU) failure. The DD failure, which is detected by the self-diagnostic function, can be repaired immediately. However, the DU failure can only be detected and repaired in the proof test. As the static unavailability is an important value in the reliability analysis for safety systems [9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25], this paper focuses on the static unavailability evaluation for koon systems with multiple failure modes.
There are many modeling techniques for unavailability analysis of koon systems with multiple failure modes, for example, simplified equations [9][10][11][12][13][14][15], reliability block diagram (RBD) [16], fault tree analysis (FTA) [17,18], and Markov analysis (MA) methods [19][20][21]. Rouvroye and Van den Bliek [22] compared these techniques and obtained the following conclusion: FTA and RBD are intuitive and easy to model; however, a new model has to be established for evaluating a new parameter by FTA and RBD. MA covers most aspects that affect reliability and can describe the dynamic transitions among different system states. Therefore, the MA method has been widely used in the unavailability analysis of complex systems [19][20][21][22][23][24][25]. However, the states of Markov models increase explosively as the system becomes more complex, and it is fallible and time-consuming to create Markov models manually. Knegtering and Brombacher [19] proposed micro-Markov models for quantitative safety assessment for SISs, where the RBD of the system is first developed and redefined, and then the micro-Markov models are established from the redefined RBD. However, how to derive the failure rates and repair rates of the newly developed micro-Markov models has not been presented in detail. Guo and Yang [21] presented an automatic Markov modeling method to reduce the burden of computation, where the states that have identical transition rates to common states are merged. However, the states with nonidentical transition rates have not been merged.
Another issue about the micro-Markov models is to transform the nonrepairable failure into the repairable failure. If the failure modes are all nonrepairable, the system reliability can be addressed by the classical probability analysis methods, for example, RBD method [15]. Otherwise, if the failure modes are all repairable, Markov models could be used. However, many systems include repairable and nonrepairable failure modes simultaneously, which is called hybrid failure modes in this paper. Take the SIS for example; the DU failure can be regarded as the nonrepairable failure mode which is only repaired in the proof test, while the DD failure is repairable. For the hybrid failure modes, using the MA method directly could result in heavy computation to derive the analytical formulas of reliability since the system is trapped in the absorbing state of the nonrepairable failure.
There are two main ways to solve this problem. The first way is regarding the repairable failure as a failure with static failure probability, and thus the system reliability can be analyzed by the FTA method [17]. However, it is complex to build the fault trees for highly redundant systems. The second way is transforming the nonrepairable failure as the repairable failure, which is called the approached MA method in [23,24]. The approached MA method has already been applied to the low redundant system, for example, 1oo1 system, 1oo2 system, and 2oo3 system [20][23][24][25][26], and the accuracy is satisfied. However, whether the approached MA method could be applied to the highly redundant system and how to derive the approached Markov models for a general koon system have not been presented in detail.
From the above review of the related researches, it can be observed that there are two main issues remaining to be solved. The first is how to merge the states for the koon systems with multiple failure modes, which is central to the micro-Markov models. The second is how to transform the nonrepairable failure as the repairable failure for the general koon system. In response to these two issues, a property about applying the Markov models to the repairable system with a single failure mode is first presented. Based on this property, we present a rule for transforming the nonrepairable failure to a repairable failure for the general koon system. This is the first contribution of this paper. Secondly, the states of the koon system with multiple failure modes are merged, and thus the koon system with multiple failure modes can be transformed to that with a single failure mode. A property regarding this transformation is proposed. This is the second contribution of this paper since the states can be merged reasonably. Then, two rules are proposed for implementing the micro-Markov models based on these two properties. Additionally, we present a case study about the safety integrity verification of the SIS and obtain the simplified equations. Finally, a conceptual comparison and a numerical example are presented to illustrate the application and usefulness of the proposed method.
The remainder of this paper is organized as follows. Section 2 introduces the associated acronyms, notations, and assumptions. Section 3 presents two properties about applying the Markov models to the repairable system and proposes the mechanism regarding how to merge the states for a general koon system. In Section 4, we apply the results obtained in Section 3 to a case study about the safety integrity verification for the SIS and provide a numerical example to illustrate the application and usefulness of the proposed method. Section 5 concludes the paper with a discussion.

𝐶 𝑘 : number of combinations of size "k" from a set with "n" components
   : number of permutations of size "k" from a set with "n" components
  : the duration of time after system failure due to the undetected failures
 1 : proof test interval
  : dangerous failure rate
 DD : dangerous detected failure rate
 DU : dangerous undetected failure rate
 DD : repair rate for dangerous detected failure
  : the repair rate for a koon system from state j to state  − 1
   : the repair rate for a koon system from state j to state  − 1 with considering the CCF
 : beta factor for DU failures
  : beta factor for DD failures.

Assumptions
(i) All the  components in a koon system are identical and independent.
(ii) The failure modes in one component are identical with those in other components (i.e., with the same failure rates and repair rates).
(iii) The failure modes in one component are independent of each other and independent of the failure modes in other components.
(iv) The unrepairable failure mode can only be detected in a proof test ( 1 ), and if detected it is repaired in the time of MRT (mean repair time).
(v) The repairable failure mode can be detected and repaired immediately. If the repairable failure of a component is being repaired, the component is not functioning.

(1) The mean down time (MDT) of a 1oon system (MDT 1oo ) is 1/  .

Modeling koon Systems by the Micro-Markov Models
(2) For any koon system,   = 1/MDT 1oo , where MDT 1oo represents the MDT of a 1ooj system.
Proof. For a 1oon system, the system fails only in state  and the MDT of the 1oon structure is 1/  . For a koon system as shown in Figure 1, it can be observed that when the process enters state  with  faults, the repair team will start repairing and will bring the system to state  − 1 after a mean repair time of 1/  . As the  failure components are independent of the other  −  working components, the mean repair time from state  to state  − 1 (1/  ) is equal to the MDT of a 1ooj system. This completes the proof.
The second result of Proposition 1 demonstrates the relationship between the repair rates and the MDTs of the 1-out-of-j systems. This relationship provides a reasonable way to transform the nonrepairable failure to the repairable failure or to combine the multiple failure modes to a single failure mode. Based on Proposition 1, we propose novel micro-Markov models in the following subsection.

Micro-Markov Models for koon Systems with Multiple Repairable Failure Modes.
As mentioned above, multiple failure modes exist widely in redundant systems. Therefore, it is necessary to combine the multiple failure modes to reduce the burden of computation. In the following, we first propose micro-Markov models for koon systems with two repairable failure modes as illustrated in Proposition 2.
The assumption of Proposition 2 is that the failure and repair of any component are independent of that of other components.
Proposition 2. For a koon system, each component has two failure modes with failure rates  1 and  2 , and the repair rates of the two components are  1 and  2 , respectively. The state unavailability of the koon system with two failure modes equals a transformed koon system with a single failure mode, whose failure rate and repair rate are , respectively. Moreover, the transformed koon system has independent failure and repair rate.
Proof. As the derivation of Proposition 2 changes due to the size of the system, we only give detailed derivation for a duplicate system for an illustrative purpose. The derivation for other systems, for example, one component system and triplicate system, is similar. The Markov states transition diagram for a duplicate system is shown in Figure 2.
From Figure 2(a), we derive the transition matrix for the original duplicate system as follows: Let   ( = 0, 1, 2, . . ., 5) represent the steady state probability of state  for the original duplicate system; then, we have By solving the above equations, we have where From Figure 2(b), let   ( = 0, 1, 2) represent the steady state probability of state  for the transformed duplicate system; the following result can be obtained after some manipulations: Substituting ( This completes the proof.
Proposition 2 is based on the result of Proposition 1. To transform the multiple failure modes to a single failure mode, the MDT of any 1-out-of-j system is calculated by adding the individual MDTs of the two failure modes, that is, 1/( 1 ) and 1/( 2 ), in direct proportion to each failure's contribution to the failure probability of the system. Thus, we have A similar procedure to derive the system MDT has also been presented in Chapter 9.3 in [27]. Let 1/  =  1 /   1 +  2 /   2 ; that is,   =    1  2 /( 1  2 +  2  1 ); the novel koon system with a single failure mode can be derived.
Proposition 2 demonstrates how to transform the koon system with two failure modes to that with a single failure mode. It can also be generalized to the koon system with multiple failure modes, which is summarized in Proposition 3.
Proposition 3. For a koon system, each component has  failure modes with failure rates  1 ,  2 , . . .,   , and the repair rates of these  failure modes are  1 ,  2 , . . .,   . The state unavailability of the koon system with multiple failure modes equals the transformed koon system with a single failure mode, whose failure rate and the inverse of the repair rate are   = ∑  =1   and 1/  = ∑  =1   /    , respectively. Moreover, the transformed koon system has independent failure rates and repair rates.
Proof. Mathematical induction is used to prove Proposition 3. From Proposition 2, it can be observed that the koon system with two failure modes is equivalent to the transformed system with a single failure mode. Assume that the koon system with  failure modes is equivalent to the transformed system with a single failure mode with failure rate   = ∑  =1   and repair rate, whose inverse is 1/  = ∑  =1   /    . Therefore, the koon system with  + 1 failure modes can be transformed to the system with two failure modes. The failure rates of the two transformed modes are, respectively,   and  +1 , and the repair rates are   and  +1 . Based on Proposition 2, the two failure modes of the transformed system could continue to be combined, and thus the failure rate and repair rate of the final transformed system can be written as follows: This completes the proof.
Compared with Proposition 1, Propositions 2 and 3 add an assumption that the repair rates are independent. In other words, Propositions 2 and 3 are correct on condition that there are  repair crews for a koon system. Although Propositions 2 and 3 may not be strictly correct when the repair rates are not independent, they provide a reasonable way to combine the multiple modes together.

The Rules of the Micro-Markov Models.
Overall, from the above analysis of applying the Markov models to koon systems with multiple failure modes, we obtain two rules of the micro-Markov models.
Rule 1. For a koon system, the repair rate from the state with  failed components to the state with ( − 1) failed components can be represented by the inverse of the MDT of the 1-out-of-j system.
Rule 2. For a koon system with  failure modes, it can be transformed to a novel system with a single failure mode. The failure rate and repair rate of the transformed system fit the following criteria:
Note that Rule 1 is strictly correct for the repairable system and Rule 2 is strictly correct for the repairable system with multiple independent failure modes. However, whether these rules could derive satisfactory results for the system with nonrepairable failure modes or hybrid failure modes has not been demonstrated; we address this issue in the next section through a case study.
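The equivalence stated in Propositions 2 and 3 can be checked numerically. The sketch below is an added example, not code from the paper: it builds the full Markov chain over per-mode failure counts, merges the modes with the Proposition 3 formulas, and compares the steady-state unavailability of both chains. The function names and rate values are constructed for illustration, and one repair crew per failed component (independent repairs) is assumed.

```python
from itertools import product
from math import comb


def merge_modes(modes):
    """Proposition 3: collapse [(failure_rate, repair_rate), ...] into one mode.

    Merged failure rate = sum of the failure rates; merged MDT (1 / repair
    rate) = failure-rate-weighted mean of the per-mode MDTs.
    """
    lam = sum(lam_i for lam_i, _ in modes)
    mdt = sum(lam_i / (lam * mu_i) for lam_i, mu_i in modes)
    return lam, 1.0 / mdt


def steady_state(states, transitions):
    """Solve pi * Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    idx = {s: i for i, s in enumerate(states)}
    size = len(states)
    a = [[0.0] * size for _ in range(size)]      # a holds the transpose of Q
    for s in states:
        for t, rate in transitions(s):
            a[idx[t]][idx[s]] += rate
            a[idx[s]][idx[s]] -= rate
    a[-1] = [1.0] * size                          # swap one balance row for normalisation
    b = [0.0] * (size - 1) + [1.0]
    for c in range(size):
        p = max(range(c, size), key=lambda r: abs(a[r][c]))   # partial pivoting
        a[c], a[p] = a[p], a[c]
        b[c], b[p] = b[p], b[c]
        for r in range(size):
            if r != c and a[r][c] != 0.0:
                f = a[r][c] / a[c][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[c])]
                b[r] -= f * b[c]
    return {s: b[i] / a[i][i] for s, i in idx.items()}


def koon_unavailability(n, k, modes):
    """Steady-state unavailability of a k-out-of-n:G system.

    A state is a tuple holding the number of components currently failed in
    each mode; the system is down when n - k + 1 or more components are failed.
    """
    states = [s for s in product(range(n + 1), repeat=len(modes)) if sum(s) <= n]

    def transitions(s):
        working = n - sum(s)
        for i, (lam, mu) in enumerate(modes):
            if working:                 # one more component fails in mode i
                yield s[:i] + (s[i] + 1,) + s[i + 1:], working * lam
            if s[i]:                    # one mode-i failure is repaired (assumed: crew per failure)
                yield s[:i] + (s[i] - 1,) + s[i + 1:], s[i] * mu

    pi = steady_state(states, transitions)
    return sum(p for s, p in pi.items() if sum(s) >= n - k + 1)


def binomial_unavailability(n, k, modes):
    """Closed form for independent components, used as a cross-check."""
    ratio = sum(lam / mu for lam, mu in modes)
    q = ratio / (1.0 + ratio)           # unavailability of a single component
    return sum(comb(n, j) * q**j * (1 - q)**(n - j) for j in range(n - k + 1, n + 1))


# Constructed rates (per hour): failure modes with different repair rates.
TWO_MODES = [(0.02, 1.0), (0.05, 0.25)]
THREE_MODES = TWO_MODES + [(0.01, 0.5)]

if __name__ == "__main__":
    for n, k, modes in [(2, 1, TWO_MODES), (3, 2, TWO_MODES), (4, 2, THREE_MODES)]:
        full = koon_unavailability(n, k, modes)
        merged = koon_unavailability(n, k, [merge_modes(modes)])
        print(f"{k}oo{n}: full chain {full:.10f}  merged chain {merged:.10f}")
```

For the duplicate system with two modes the full chain has the six states of Figure 2(a), while the merged chain has three.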

A Case Study
4.1. Safety Integrity Level Verification.
Safety instrumented systems (SISs) are widely used in the process industry as an important protection layer to prevent hazardous events or mitigate their consequences. Safety integrity level (SIL) is proposed to measure how well a SIS performs its intended function by the safety standards: IEC 61508 and IEC 61511 [9,10]. SIL verification is to verify whether the reliability of the SIS meets the required level. For the low demand mode of SIS operation, the SIL of a SIS is defined in terms of the average probability of failure on demand (PFD avg ), which could be represented by the static unavailability of the system. The relation between the SIL and the PFD avg is shown in Table 1.
The PFD avg evaluation is concerned with the voting logic of the redundant systems, failure rates, diagnostic coverage, proof test interval, common cause failure (CCF), and some other factors [3]. Since the SIL verification is provided as a case study to validate the results of the micro-Markov models, we mainly consider the dangerous failure and its repair time. The dangerous failure with failure rate   means the failure to perform the protective function when required. Due to the self-diagnostic function of SIS, the dangerous failure can be divided into DU failure and DD failure with the failure rates of  DD and  DU , respectively. Consider Additionally, diagnostic coverage of dangerous failure (DC  ), expressed as a percentage, is represented by the ratio of DD failure to the total dangerous failure.
As discussed previously, the repair mechanisms of the DU failure and DD failure are different; thus it is difficult to derive the analytical PFD avg by using Markov models directly. Therefore, the simplification equations of PFD avg have been presented, for example, the typical simplified equations by IEC 61508. However, IEC 61508 does not give detailed explanations of the PFD avg calculations, which are difficult for common safety engineers to understand. Even in the IEC 61508 committee, the issues of how to calculate PFD avg and which models should be used are controversial [4].
In order to give detailed explanations to the simplified equations by IEC 61508, Zhang et al. [20] redefined the equivalent MDT of the undetected failure and derived the equivalent MDTs of 1oo1 and 1oo2 architectures. Then, the PFD value of a few typical architectures was calculated by the MA method. Guo and Yang [16] calculated the equivalent MDT by using the ratio of steady failure probability to the steady failure frequency and evaluated the PFD value for the most used architectures by the RBD method. However, these obtained results are different from the equations given by the IEC 61508 standard [9], which may confuse the safety engineers. Innal [23] explained the analytical formulas presented in the IEC 61508 by the approached Markov model. This paper attempts to solve this problem by the two rules of the micro-Markov models proposed in Section 2. The key issue of the micro-Markov models is to derive the repair rate of the states, which is handled in the next subsection.

Equivalent MDT.
From Rule 1, it can be observed that the repair rate is determined by the MDT of the 1oon system. As the DD failure is repairable, we first calculate the MDT of the DU failure, which is called equivalent MDT time for the SISs.
It is assumed that the DU failure is only detected in the proof test with the interval of  1 . The MDT is generated from the time of the DU failure to the proof test and the repair time, as shown in Figure 3. In the figure, t is the time when the DU failure occurs, MRT is the mean repair time if the DU failure is detected in the proof test, t a is the mean time when system failure due to the DU failures occurs over the interval [0,  1 ], and   is the duration of the down time.
Zhang et al. [20] gave a clear definition of the equivalent MDT for the DU failure and provided the result of the equivalent MDT for the 1oo1 system and 1oo2 system. However, it is not applicable to the case when the system size changes. Thus, we attempt to calculate the equivalent MDT for a common 1-out-of-n system. For a 1oon system, the cumulative distribution function for the DU failure is Hence, the mean time when system failure due to the DU failures occurs over the interval [0,  1 ] (t a ) can be formulated as Set u =  DU  and x =  DU  1 ; then we get Since x =  DU  1 ≪ 1, t a can be approximately calculated as From (13), it can be observed that the approximate value of t a is independent of  DU .
Referring to Figure 3, the approximation of the equivalent MDT of DU failures for a 1-out-of-n system is The DD failure is detected by the self-diagnostic function of SISs and can be repaired immediately in the time of MTTR, which denotes the mean time to restoration for the DD failure. It is assumed that the failure and repair rate of the DD failure are independent. Thus, from Proposition 1, the MDT of DD failures for the 1-out-of-n system can be formulated as Based on Rule 2, the equivalent MDT of the combined two failure modes for the 1-out-of-n system (MDT 1oo ) can be calculated based on the law of total probability. It is composed of the MDT of the DU failure with a conditional probability  DU /  and the MDT of the DD failure with a conditional probability  DD /  . Then, we have After determining the component equivalent MDT for the 1-out-of-n system, the repair rate can be represented by the inverse of the equivalent MDT. Then, the PFD avg of the koon system can be analyzed, as illustrated in the next subsection.

PFD avg Calculation by Micro-Markov Models.
For the koon system, the system fails when at least  −  + 1 components fail. The micro-Markov state transition diagram could be represented by Figure 1. Let   ( = 0, 1, 2, . . ., ) represent the steady state probability; from Figure 1, we derive the transition matrix as follows: where   is inverse of MDT 1oo .
Let   ( = 0, 1, 2, . . ., ) represent the steady state probability of state ; then we have By solving the above equations, we have Then, the PFD koon can be written as

4.4. PFD  Calculation with Considering the CCF.
Common cause failure (CCF) is a phenomenon which mitigates the effects of redundancy, and thus it often plays a dominating role for the unavailability of a koon system. CCF is a dependent failure when two or more redundant components fail simultaneously or within a short time interval, due to a shared cause. There are several models for quantification of CCF in SISs, such as the beta-factor model [9], multiple beta factor (MBF) [28,29] model, and the PDS model [30].
The beta-factor model, as suggested by IEC 61508, is the most popular CCF model due to its simplicity. The beta factor represents the fraction of the total failure rate that can cause all channels to fail. Therefore, the existence of CCF splits the DD failure and DU failure into independent failure parts and CCF parts, which can be, respectively, expressed as follows: If the beta-factor model is used to model CCF, the CCF part can be regarded as an independent part with the independent failures in the reliability block diagram of the koon system and thus the CCF can be included as an add-on to the system unavailability. Then, the PFD koon with CCF can be calculated as where The derived equations of PFD koon in (20) and (22) can also be regarded as simplified equations for the SIL verification.

Conceptual Comparison.
From the above derivation of the PFD koon , it can be observed that there are two main steps of transforming the DU failure and DD failure into a single failure mode. The first is transforming the DU failure as a repairable failure. The second is combining the two failure modes to a single failure mode. In order to compare the results of the micro-Markov models with the actual results, we present a conceptual comparison in this subsection. As the unavailability equations of the CCF part are the same in different methods, we only compare the independent part of the unavailability. The numerical comparison of some typical koon systems is presented in the next subsection.
Firstly, the results of transforming the DU failure into a repairable failure are compared with the actual results. For the DU failure, the exact results can be derived by the classic probability method, for example, the RBD method or the FTA method. To implement the comparison, the mean repair time of  DU is assumed to be zero (i.e., MRT = 0) and the CCF is not considered (i.e.,  = 0 and   = 0). Then, we propose the following proposition.

Proposition 4. Let 𝑃𝐹𝐷 𝑚 and    represent the PFD avg calculated by the transformed Markov models and the classic probability method, respectively; then, the following holds on condition that    1 ≪ 1:
Proof. Let   ( = 0, 1, 2, . . ., ) represent the steady state probability; from Figure 1 and (19), we can obtain that where   ≈ ( + 1)/ 1 . Then, the PFD  oo can be written as For the SIS, it is generally known that ( + 1)/ 1 ≫  DU ; thus   / DU ≫ 1. Then, we have It follows that Additionally, the exact results derived by the classic probability method could also be simplified as [27,31] This completes the proof.
Proposition 4 indicates that when  DU  1 ≪ 1, the transformation of the nonrepairable failure to the repairable failure leads to satisfactory results.In the following, we demonstrate the effect of combining the DU failure and DD failure to a single failure mode.The comparison is made when only one type of failure exists.The results are summarized in Proposition 5.

Proposition 5. The results of PFD koon evaluated by the micro-Markov models when only one type of failure exists are consistent with the results by the classic probability when only one type of failure is considered.
Proof. For the SIS, it is generally known that   ≫   ; thus the PFD oo in (20) can be simplified as

a The PFD 1oo3 equation is not given in [16,20].

Mathematical Problems in Engineering
If  DD = 0 and MRT = 0, (28) can be simplified as It is in accord with the results by the classic probability method when the DU failure is only considered; see (27).
If  DU = 0, (28) can be simplified as It is consistent with the results by the classic probability method; see [31]. This completes the proof.
From Proposition 5, it can be observed that when only one type of failure exists, the results via the micro-Markov models are in accord with the results when only one type of failure is considered. We further compare the simplified equations through some typical koon systems when only one type of failure exists. The simplified equations are illustrated in Tables 2 and 3. The equations presented by [4] are deduced when only one type of failure is considered, which are also consistent with the equations presented by Smith [31] and Rausand and Høyland [27]. It can be observed that only the simplified equations derived in this paper are equal to the equations presented in [4].
The reason why different results are obtained by different references can be explained as follows.The equivalent MDT of a component or the group is an approximation.Different approximation assumptions could obtain different results.Take the 1oo2 system for instance; the group equivalent MDT is approximately equal to ( DU /  )( 1 /3 + MRT) + ( DD /  )(MTTR/2) (see (16)).However, the approximate results from IEC 61508 [16,20] are ( DU /  )( 1 /3 + MRT) + ( DD /  )MTTR, ( DU /2  )( 1 /2 + MRT) + ( DD /  )(MTTR/2), and ( DU /2  )( 1 /3+MRT) + ( DD /  )(MTTR/2), respectively.Therefore, the controversial results are obtained.However, regardless of approximation process, the results by combining the failure modes should be consistent with those when only one type of failure modes is considered.Thus, the group equivalent MDTs in these references have not been accurately approximated.This verifies the results via micro-Markov models to some extent.

Numerical Comparison.
In this experiment, we compare the results by the micro-Markov models with some classic probability methods. Similar to the above subsection, the transformation of the DU failure to a repairable failure is first compared. For simplicity, the calculation of PFD avg by the classic probability method, the presented micro-Markov model in this paper (i.e., (20)), and the simplified equations presented by IEC 61508 are referred to as  0 ,  1 , and  2 , respectively. To compare these methods, the  0 is regarded as a basic method and the relative error is used to implement the comparison. The relative error expressed as a percentage is represented by the ratio of the difference between the result of  0 and  1 (or  2 ) to that of  0 .
We consider a triple system for an illustrative purpose. With different proof test intervals, the value of  DU  1 changes from 0.033 to 0.263. The compared results are illustrated in Table 4, where RE1 and RE2 represent the relative error of  1 and  2 , respectively. In Table 4, it can be observed that the relative error increases with the increase of the value of  DU  1 for any koon system and the relative error of  1 is always smaller than that of  2 . This implies that  1 obtains more accurate results than  2 . When the value of  DU  1 is small (e.g.,  DU T 1 = 0.033), the relative error of  1 and  2 is able to meet the accuracy requirements. However, for the case that  1 = 4 years, that is,  DU  1 = 0.263, the relative error of  2 for 3oo3 system is −27.9%. In such circumstances, for  2 , the methods which have more fundamental principles, for example, FTA or RBD method, should be used. In the following, we utilize the method presented in [17] as a basic method to perform the comparison, which has more fundamental principles for the SIS. The method presented in [17] assumes that the unavailability caused by the DD failure is a constant value denoted by  > 0. However, the constant value is directly added to the instantaneous unavailability, which is an approximate value. Take the 1oo1 system for example; we have PFD() =  + 1 −  − . However, when  → ∞, the unavailability equals PFD =  + 1 > 1. This is not consistent with the assumption that the unavailability is less than or equal to 1.
Thus, in this paper, we remedy this deficiency as follows. Essentially, the constant value  can be regarded as a static failure probability. Thus, the instantaneous unavailability can be represented as PFD() = 1 − (1 − ) − = 1 −  − +  − . This is consistent with the assumption. For simplicity, the method presented in [17] is referred to as   0 . Table 5 gives the compared results, where the value of DC D changes from 25% to 75%. It is shown that the relative error of  1 is always smaller than that of  2 . And the maximum value of the relative error of  1 is 2.67%, which could satisfy the accuracy requirements. Overall, the presented method could obtain the desired results for the SIL verification and can be potentially applied to other koon systems.
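The first comparison described above (DU failure treated as repairable, MRT = 0, no CCF) can be reproduced in a few lines. This is an added example, not the paper's code: it assumes the chain of Figure 1 runs over j = 0..n failed components with failure rate (n - j) times the component rate, generalises the 1oo2 equivalent MDT quoted earlier to T1/(j+1) + MRT and MTTR/j for a 1-out-of-j group, and uses hypothetical function names.

```python
from math import comb, exp


def equivalent_mdt(j, lam_du, lam_dd, t1, mrt=0.0, mttr=0.0):
    """Equivalent MDT of a 1-out-of-j group (Rules 1 and 2).

    DU part: T1/(j+1) + MRT; DD part: MTTR/j (assumed generalisation of the
    1oo2 expression), each weighted by its share of the dangerous failure rate.
    """
    lam_d = lam_du + lam_dd
    return (lam_du / lam_d) * (t1 / (j + 1) + mrt) + (lam_dd / lam_d) * (mttr / j)


def pfd_micro_markov(n, k, lam_du, lam_dd, t1, mrt=0.0, mttr=0.0):
    """Steady-state PFD of the merged birth-death chain.

    State j = number of failed components; j -> j+1 at rate (n-j)*lam_d and
    j -> j-1 at rate mu_j = 1 / equivalent_mdt(j).  For a birth-death chain
    the balance equations give P_j as a running product of rate ratios.
    """
    lam_d = lam_du + lam_dd
    weights = [1.0]
    for j in range(1, n + 1):
        mu_j = 1.0 / equivalent_mdt(j, lam_du, lam_dd, t1, mrt, mttr)
        weights.append(weights[-1] * (n - j + 1) * lam_d / mu_j)
    # The system is failed in every state with at least n - k + 1 failures.
    return sum(weights[n - k + 1:]) / sum(weights)


def pfd_classic_du(n, k, lam_du, t1, steps=2000):
    """Classic probability result for DU failures only (MRT = 0).

    Time average over one proof test interval of the probability that at
    least n - k + 1 components have failed, integrated with Simpson's rule.
    """
    def system_failed(t):
        q = 1.0 - exp(-lam_du * t)
        return sum(comb(n, j) * q**j * (1 - q)**(n - j)
                   for j in range(n - k + 1, n + 1))

    h = t1 / steps
    total = system_failed(0.0) + system_failed(t1)
    total += sum((4 if i % 2 else 2) * system_failed(i * h) for i in range(1, steps))
    return total * h / 3.0 / t1


def relative_error(n, k, lam_t):
    """Signed relative error of the micro-Markov PFD against the classic one.

    lam_t is the product of DU failure rate and proof test interval; with
    MRT = 0 only this product matters, so T1 is fixed at a constructed 8760 h.
    """
    t1 = 8760.0
    lam_du = lam_t / t1
    m0 = pfd_classic_du(n, k, lam_du, t1)
    m1 = pfd_micro_markov(n, k, lam_du, 0.0, t1)
    return (m1 - m0) / m0


if __name__ == "__main__":
    for lam_t in (0.033, 0.263):          # the two end points quoted in the text
        for k in (1, 2, 3):               # 1oo3, 2oo3 and 3oo3
            print(f"{k}oo3  lam*T1={lam_t}: {100 * relative_error(3, k, lam_t):+.2f}%")
```

The sign convention of the printed error, (micro-Markov minus classic) divided by classic, is a choice made for this sketch.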

Concluding Remarks
This paper proposes micro-Markov models for the reliability analysis of koon systems with multiple failure modes. Two rules are proposed to implement the micro-Markov models. For the repairable koon systems with multiple independent failures and repairs, the micro-Markov models could derive the same results with the basic Markov models. For the koon systems with hybrid failure modes, approximated and satisfied results could be obtained by the micro-Markov models. A case study regarding the SIL verification for the SIS indicates that when only one type of failure modes exists, the results derived by the micro-Markov models are consistent with the results by the classic probability method when only one type of failure modes is considered. When the DU failure and the DD failure both exist, the results are approximately equal to the results by the methods with more fundamental principles. Additionally, simplified equations are presented for the SIL verification. In summary, the micro-Markov models can be applied to the koon systems with multiple failure modes.
In this paper, we mainly discuss how to develop the micro-Markov models for the koon systems with multiple failure modes. However, we only use the simple beta factor model to model CCF, which could not distinguish between different koon systems. To improve the accuracy of modeling CCF, more advanced CCF models (e.g., the MBF model) should be used, and how to use the micro-Markov models with the MBF model needs to be further exploited. Additionally, as the koon system normally works in a finite time zone, it obtains a pessimistic evaluation by using the static unavailability of the repairable failure to represent the average unavailability in the finite time zone. To derive a better evaluation in a finite time zone, the time independent Markov method should be used. However, for the koon system with multiple failure modes, especially for the system with hybrid failure modes, it is difficult to obtain the exact and closed form solution of the system unavailability. This may encourage the research that is reducing the computation complexity of the time-independent unavailability for koon systems.

2.1. Acronyms
CCF: common cause failure
DD: dangerous detected failure
DU: dangerous undetected failure
FTA: fault tree analysis
koon: k-out-of-n:G system
MA: Markov analysis
RBD: reliability block diagram
SIL: safety integrity level
SIS: safety instrumented system

Figure 2: Markov states transition diagram for a duplicate system.((a) Original duplicate system with two failure modes; (b) transformed duplicate system with a single failure mode).

Figure 3: Failure process of the DU failure.
If there are  repair crews existing, then   = . If only one repair crew exists, then   = . To represent a general condition, we use   to describe the failure rate.) Then the following holds.

Table 1: SIL for the low demand mode of operation.

Table 3: Comparison of PFD avg equations only considering the DD failure.